Workaround change of behaviour in git 2.38.1 for CVE-2022-39253. #22
By default, protocol.file.allow now defaults to user, preventing clones with symlinks. https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253
Also reported in CPAN as https://rt.cpan.org/Ticket/Display.html?id=144889, and in Fedora as https://bugzilla.redhat.com/show_bug.cgi?id=2137877.
Adding this proposed patch made the Fedora package build: https://koji.fedoraproject.org/koji/buildinfo?buildID=2084874
Thanks for the fix, picked it up for openSUSE:
https://build.opensuse.org/request/show/1039783 by user coolo + dimstar_suse - Add fix from book/Git-Repository#22 to work around git 2.38.1's new default behaviour (22.patch)
As older git versions may be patched, too (e.g. git 2.25.1 found in Ubuntu 20.04 also does not allow the file protocol by default), I think it's best to make the configuration change unconditional, without a git version check.
See eserte@e957384 for an alternative patch.
Tl;dr: a check for either 2.12.0 or 1.7.2 makes the most sense, though no check at all also makes some sense; whereas a check for 2.38.1 is not a good idea.
That, plus (to spell this out explicitly) the fact that the configuration override has no deleterious effect even if passed to an older Git which doesn't have the 2.38.1 change of default. So there is a good reason to omit the check for 2.38.1, and no real reason to include it. (I would however add a comment to explain why the override is there, and that would mention 2.38.1.) If there was to be a version check, it would make more sense to check for a version of Git which supports More strictly relevant might be that
Fixes failures on
Starting off with this proposal to see what approach would be deemed the best.